BankThink

EMVCo's Tokenization Specs Are Complex and Costly

Whether it is EMV, NFC, HCE or TSP, there is certainly no shortage of acronyms within the payments ecosystem. And this is one trend that is here to stay.

The recent release of EMVCo’s updated payment tokenization specification has added yet another into the mix – Payment Account Reference (PAR). But what is PAR, why has it been introduced and what does it mean for the payments industry?

According to EMVCo, PAR is a "newly-defined data element that reduces reliance on primary account numbers (PAN) when managing security requirements and delivering value-added services." It has been introduced solely to support the process of payment tokenization.

Tokenization reduces the value of stored payment credentials by replacing them with a "token." The token is a different number to the customer’s PAN, but with the same format, and can only be mapped to the original PAN by trusted parties.

Although this increases security, it also presents challenges. Consumers may pay using a payment card, or via any of the tokens that can be related to that one card, such as those used by the various "Smartphone Pays," card-on-file e-commerce and other platforms. This results in a single PAN being linked to several tokens across different payment instruments and channels. As only the token service provider (TSP) can see the relationship between the original PAN and all of its related tokens, this can make it difficult for other entities down the chain to gain an aggregated view of the transactions performed by the original credential.

As a consequence, their ability to deliver value-added services such as loyalty and couponing, and in some cases manage regulatory requirements or provide transaction risk scoring, is impacted. This is because these functions often rely on the ability to identify transactions at the aggregate PAN level to enable monitoring and analysis of consumer behaviour.

EMVCo asserts that the introduction of PAR addresses this issue as it allows PAN-based and related token-based transactions to be linked together, and enables the payments acceptance community to perform these functions consistently while maintaining security.
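The aggregation problem described above, and how a shared reference resolves it, as an added example that is not part of the original article. It is a toy token vault in Python: the token BIN `999999`, the `PAR-` prefixed identifier and all class and function names are constructed for illustration and do not reflect the EMVCo data format.

```python
import secrets
from collections import defaultdict

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenVault:
    """Toy TSP: the only party that can map a token back to its PAN."""
    def __init__(self, token_bin: str = "999999"):  # constructed BIN range
        self.token_bin = token_bin
        self._pan_by_token: dict[str, str] = {}
        self._par_by_pan: dict[str, str] = {}

    def issue_token(self, pan: str) -> str:
        """Return a fresh token with the PAN's length and a valid check digit."""
        free = len(pan) - len(self.token_bin) - 1
        while True:
            body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(free))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def par_for(self, account_number: str) -> str:
        """PAR for a PAN or any of its tokens (assumed random, not PAN-derived)."""
        pan = self._pan_by_token.get(account_number, account_number)
        if pan not in self._par_by_pan:
            self._par_by_pan[pan] = "PAR-" + secrets.token_hex(8).upper()
        return self._par_by_pan[pan]

def spend_by(transactions: list[dict], key: str) -> dict[str, int]:
    """Merchant-side view: total spend in cents grouped by the chosen field."""
    totals: dict[str, int] = defaultdict(int)
    for tx in transactions:
        totals[tx[key]] += tx["amount_cents"]
    return dict(totals)

def demo() -> tuple[dict[str, int], dict[str, int]]:
    vault = TokenVault()
    pan = "4111111111111111"  # widely used test card number, not a real account
    numbers = [pan, vault.issue_token(pan), vault.issue_token(pan)]  # card, wallet, card-on-file
    txs = [{"account_number": n, "par": vault.par_for(n), "amount_cents": a}
           for n, a in zip(numbers, (1200, 800, 2500))]
    # Three unrelated-looking account numbers versus one customer-level total.
    return spend_by(txs, "account_number"), spend_by(txs, "par")
```

Grouping by `account_number` splits one cardholder's spend across three keys, while grouping by `par` yields a single total without the merchant ever mapping a token back to the PAN.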

Although the idea underpinning PAR makes sense, industry feedback has been mixed so far. So, what does PAR really mean for the payments community and why is there industry hesitation?

One thing is for sure, implementing PAR is not going to be an easy ride. Firstly, PAR as a new and additional data element will need to be integrated into all authorization and clearing messaging.

PAR has a different length and format to the PAN, so merchants and acquirers will have to upgrade their back end systems to support and identify this new data element as the new index for merchant loyalty and acquirer risk management.

In addition, merchants will have to hold lookup tables to link a PAR with the original PAN and all of the various tokens that are associated with it. In practice, this means that merchants will hold data that maps the activity taking place within the token vault. In the specification’s current format, this raises various regulatory and compliance issues regarding the management and protection of data.

Further complexity is introduced by the fact that EMVCo has updated the underlying EMV Specifications to introduce new ‘tags’ supporting PAR for all EMV cards and terminals, as well as the ‘OEM Pay’ solutions and mobile applications.

The consequences of this update are profound, as this may require a complete recertification process across the entire payments industry. For those in the United States who are currently involved in a complex and drawn-out certification process following the EMV liability shift in October 2015, the thought of recertification is a painful one.

Such complexity is naturally accompanied by high costs. As PAR has been introduced to benefit merchants and acquirers, they will be expected to absorb the majority of the implementation costs. The key question, therefore, is whether the potential benefits justify the investment. In contrast, the issuer and processor community is set to gain little or no benefit from PAR, so any costs they face will be somewhat hard to swallow. As alternative options to PAR exist that also enable actors to deliver value-added services and meet regulatory requirements, there is a lot of work to do to convince the industry that the return on investment is sufficient.

It is not easy to introduce a brand new data element into the payments ecosystem. With applications to be recertified and system updates to be made, it will be many years until PAR is fully implemented across the entire payments industry. And if the industry feels compelled to drag its feet due to the lack of commercial imperatives, this process will be further elongated. More information is required, therefore, on the expected implementation timelines.

So, what does PAR mean for the payments industry? At present, the simple answer is that nobody is quite sure. More information on the benefits of PAR, as well as the compliance and regulatory issues that it has the potential to create across the entire payment ecosystem, is required. With such a wide-scale impact, you can expect to hear much more about PAR over the coming months.

David Worthington is vice president of business development for Bell ID.
